How to set up VLAN network

vlan

Solution 1:

As Joeqwerty already noted, you're approaching this with an inadequate fundamental understanding, combined with vaguely-defined goals. You are setting yourself up for failure, downtime, and security holes. Rather than just answering your questions as asked I'm going to indulge in a little "vLAN 101" tutorial which might be a bit more useful for you.

You seem to have a few fundamental misconceptions about vLAN segmentation and how it fits into network architecture, so let's roll ALLLLLLL the way back to the beginning for a minute:

From a network architecture level you can take the very simplistic view that a vLAN is nothing more than a separate switch, not connected to any other switch (vLAN).

If you look at vLANs in this way it becomes relatively clear how to use them: When you don't want machines in Group A to be able to talk to machines in Group B you put them in separate vLANs, and force them to traverse a router (ideally one with firewall functionality) to talk to each other.
Under nearly all circumstances it's better (and easier) to do this by also putting the machines in different IP networks (subnets) -- Machines within a vLAN are in the same subnet, and can chat amongst themselves as much as they want, but if they want to talk to someone outside their vLAN it's also going to be outside their subnet, so they get handed off to their default gateway, which can handle the security concern of who can talk to whom under what circumstances.

So vLAN architecture in 11 easy steps:

  1. Figure out which machines form logical groups. These are your vLANs
    In a very simple environment this could be Web Servers and Database Servers.
    In more complex environments you may have lots of groups, and you may combine multiple groups in a single vLAN -- This is an architecture decision you have to make.

  2. Figure out an addressing scheme that suits your vLANs.
    If you're supremely lucky every vLAN will fit into a /24 and you'll be able to build a topology based around that. If you aren't that lucky figure out which vLANs need bigger (or smaller) blocks.

  3. Draw what you have done so far on paper.

  4. Figure out which vLANs need to talk to each other.
    What ports/services should be open between vLANs/Networks?
    What other conditions need to exist for your environment to function?

  5. Draw what you came up with on paper. Make sure it's sane, then convert it into firewall/router policy.

  6. Draft a firewall/router configuration. Ideally play with it in a test environment.

  7. Draw your switch on paper and map which ports will go to which vLANs.
    It's helpful to physically group connections so that they're in the same logical vLAN, but this isn't strictly necessary.

  8. Turn your switch drawing into a switch configuration. Ideally play with it in a test environment.

  9. Clean up your drawings on paper. The logical drawing should look somewhat like this:
    Network Diagram
    (The image has been shrunk to obscure stuff you don't need to read)

  10. Get someone else to look at your design.
    You can ask on Server Fault, but it's better if someone familiar with your environment looks at it as they're more likely to catch potential breakage.

  11. Take a weekend and turn your logical design into a physical reality.
    (It should go without saying that you should have a rollback plan in case things go horribly wrong, but I'm saying it anyway.)

(If you are VERY good you might be able to skip some of the "Draw it on paper" steps above, but I don't recommend skipping that your first time.)

Re: the two specific questions you asked:

1)How can I segment this network with minimum down time on the devices already on the network?

You can't. Breaking your network into vLANs will require an outage window - you will have to reconfigure your switch, move machines into different logical networks, configure routing, probably move some cables around, etc. etc. etc.
Plan for an outage starting at 5PM Friday and extending over a weekend, ESPECIALLY if this is your first time designing a properly segmented network - you will spend some time debugging things that break.

2)Can I just create Vlans and leave all these Vlans in the same laye 3 network so that they can go out of the network (I am not not concerned about Vlan routing) or I have to create subnets which means reconfiguring the existing devices (something I do not want)

Can you? Yes.
Will it buy you anything in terms of security? Not really.
Will it make the entire project 10 times harder? Absolutely.
Should you design a network this way? NO.

Solution 2:

How can I segment this network with minimum down time on the devices already on the network?

Leave the current network as the default VLan. For each device that is being moved to a new VLan, reconfigure its port and change its address information to the corresponding subnet one device at a time.

Can I just create Vlans and leave all these Vlans in the same layer 3 network

No. This is entirely against the very concept of a VLan.

(I am not not concerned about Vlan routing)

You must providing routing between VLans for devices on different VLans to communicate.

or [do] I have to create subnets which means reconfiguring the existing devices (something I do not want)

Then you may not desire to have VLans.

Related

No IPv6 & DNSSEC support on cc-TLD? (practical implications)
Why do people use 172.x.x.x instead of 192.x.x.x [closed]
Is it safe to allow inbound 0.0.0.0/0 on EC2 security group?
AWS RDS MySQL Slowing down over time
Internet is a series of tubes? [closed]
Pros/Cons of switching from Exchange to GMail
How can I open a file whose name starts with "-"?
When a startup should hire a sys admin?
lots of dns requests from China, should I worry?
Lowercase variable values in a Puppet template
MTU on server accidentally set to 0, can't ssh into it?
Is mv with wildcard still atomic